IAS & Firewall configuration (NAT)

Hi,
We have an iAS installation in which the Web Connector and the iAS are separated by a firewall that performs NAT.
In our configuration we forward port 10818 on the firewall to port 10818 on the iAS machine, and we have a similar configuration for LDAP.
Apparently the Web Connector is able to connect to LDAP and the iAS, but we see a latency of about 7-8 seconds, since the Web Connector first tries to connect to the private internal address of the iAS.
Is this behavior correct, or is there any solution/patch to avoid this problem?
Thanks a lot,
David

Hey,
What is the network latency when you ping from the web connector machine to the app server machine? If that is also 7-8 secs then it is normal behaviour. If not, check whether LDAP port 389 is open. It seems that you are able to connect to LDAP, but what do you mean by "web connector firstly tries to connect with the private-internal address of iAS"?
Are iAS and the web connector on different subnets?

Similar Messages

  • Firewall - Configuration/GUI of the Mac OS X 10.6 / 10.7 Firewall

    First I would like to thank Apple
    for making the Mac OS X operating system.
    And thank you for the Lion update coming soon.
    We probably all are waiting to get the
    Mac OS X 10.7 Lion update.
    I have seen the full feature list of Lion:
    http://www.apple.com/macosx/whats-new/features.html
    All the great new innovations and apps are great stuff.
    But I came to wonder about one thing though.
    The internet apps like:
    FaceTime, iCloud, iChat, AirDrop etc.
    They more or less all require custom ports on different
    protocols to be opened and configured.
    Even the SIP for Facetime has to be enabled etc.
    Like the FaceTime Firewall ports here:
    http://support.apple.com/kb/HT4245
    In the full feature list page of Mac OS X Lion
    there is not listed anything about the Mac OS X Lion Firewall!
    In Snow Leopard we can't configure the Firewall with
    custom ports and protocols etc.
    Everybody refers to the Hanynet NoobProof and WaterRoof
    firewall apps. I'm using NoobProof myself right now.
    http://www.hanynet.com
    But I think Mac OS X Snow Leopard and Lion could do with a
    much better and far easier firewall GUI to be able to
    configure ports and protocols and firewall rules and even NAT.
    Isn't Mac OS X about doing it the easy way!
    I think a Firewall in Mac OS X with only an On and Off button (more or less)
    won't cut it any longer!
    For people not knowing about firewalls it's OK to have an On/Off button,
    but for users that know about firewalls, ports and protocols
    it would be great to have a button to go in and be able to configure it,
    making rules and opening ports on specific protocols and doing NAT etc.
    The Mac OS X Firewall GUI created by Bryan Hill called
    "Brickhouse" and now called "Flying Buttress"
    updated last in 2005!
    (Which I could NOT get to work in Snow Leopard)
    it had a very good and easy
    to use Graphical User Interface. (GUI).
    See it here:
    http://www.securemac.com/firewallsecurityshareware.php
    Why isn't there any like that for the present Mac OS X????
    Anybody know anything that will help in that direction???
    Anybody know a nicer firewall GUI or App for
    Snow Leopard / Lion ???
    Please comment here.
    Best regards
    Jesper
    from Denmark.

    Thank you very much for responding to my thread Thomas and roam.
    Whether to run a firewall on Mac OS X or not
    is not my question. And thank you, but I do know the difference between a
    GUI for the Mac OS X built-in firewall and a 3rd party stand-alone firewall.
    If I and probably many other Mac OS X users choose to run with a firewall,
    many of us would like to be able to configure it as WE want it to be.
    Many users have special needs that require special configuration of the firewall.
    There are other things than Apple network technologies you know!
    Running a firewall or not. There are pros and cons to both. It's a free choice, right? I respect both.
    I have 8 CPU cores and 16 threads on my Mac Pro, so I think my Mac can handle a running firewall!
    "Better safe, than sorry!" As they say "Over there".
    ;o)
    Apple has chosen to make a firewall in
    Mac OS X, then there must be a reason why it is there.
    And besides that.
    I would bet that the more popular
    Mac computers get in the future and the more market share
    Mac computers gain over the hopeless Windows platform,
    the more hackers will be interested in hacking Mac OS X.
    So a firewall would be something to consider the more success Apple has.
    I think that is quite logical.
    I'm sure there are almost as many undiscovered security holes in UNIX
    as there are on the Windows platform. It is just a question of time
    before the hackers will point their weapons against Mac OS X.
    So let me explain a bit more precisely what I need…
    I'm used to configuring lots of hardware routers with firewalls. Doing things like creating firewall rules, opening ports on specific protocols, WAN-to-LAN and LAN-to-WAN, NAT IP redirection, enabling SIP, content filtering, wireless access points with encryption and MAC address filtering, creating VPN tunnels, setting up Remote Desktop on Windows and Mac computers for Terminal Servers etc.
    I'm also administering FTP servers and NAS hard disks.
    All that is always configured in a nice intuitive user interface via my web browser. Whether it is a router, NAS disk etc. THAT'S WHAT I WANT with the Firewall in Mac OS X. An "intuitive graphical user interface" where I can easily configure the Mac OS X firewall or a stand-alone firewall for that matter.
    Yes, I myself use the Hanynet NoobProof firewall GUI on my Mac Pro right now.
    But both the Hanynet firewall GUIs are crap. Let's face it!
    They work, yes! But the user interface is NOT Mac OS X standard, right!!!
    If you compare the user interfaces with the standard user interfaces of a normal end-user gateway router with firewall, like ZyXEL, NetGear etc.
    The Hanynet NoobProof doesn't have the feature to
    choose ports on specific protocols.
    With Apple FaceTime there are ports on both the
    TCP and UDP protocols that have to be open for communication.
    On the other side, the Hanynet WaterRoof GUI,
    I know that it has the features to configure ports on specific protocols, but!
    The user interface is waaaaaaaay too complex and is anything but intuitive!
    I can't make either head or tail of the WaterRoof GUI!!! Completely lousy interface. It is SO non-Mac-like!
    (it needs an interface designer like myself)
    I mean, "The Mac" and Mac OS X are all about doing things the "EASY, Nice and Intuitive Way", right!
    It can't be that I'm the only one in the world that needs a better and faster configuration of the Mac OS X firewall, can it?! There must be hundreds of thousands of other Mac OS X users with the same wish.
    I know I'm a "designer", not a "programmer".
    The only thing I program is HTML, CSS and DVD Video titles.
    So with all due respect.
    *** The question is…
    Does anybody know a firewall GUI or stand-alone firewall for Mac OS X Snow Leopard/Lion that is easier than Hanynet's????????????????
    =========
    If I were an Apple employee that dealt with Mac OS X security,
    I would make the Mac OS X firewall user interface different.
    Top level choice could be: ON, OFF and CUSTOM.
    So people with no knowledge of firewalls could just choose ON or OFF
    to their liking. And leaving the choice for people that would like
    to customize the firewall settings with the "Custom" button.
    And thereafter a nice intuitive graphical user interface
    to make all sorts of custom settings JUST like on a gateway router with built-in firewall.
    A firewall like that could not hurt anybody, could it???!!!
    It's MY Mac, I want to rule over MY firewall.
    I like Mac OS X very much, I think it is absolutely brilliant,
    but the firewall settings are NO GOOD for custom firewall configurations.
    Apple has to pay attention to it, the sooner the better.
    Please feel free to comment.
    Best regards
    Jesper
    Denmark.

  • Replacing BM on NW with the ISP firewall and NAT

    Hi!
    LAN is a tree with 3 servers:
    1. NW 6.5 sp8 + BorderManager 3.9 sp 2
    2. NOWS SBE 2.5 (Suse) - DNS\DHCP
    3. NOWS SBE 2.0 (Suse)
    Since I'm connected to the internet through my ISP router (XBOX- Checkpoint), I am considering removing the first server (firewall) and asking my ISP to configure the router as a firewall and NAT too.
    What are the steps needed to do it without any damage?
    TIA
    Nanu

    nanu,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://forums.novell.com/

  • Basic Firewall configuration

    Hello all,
    I've been using Solaris 11 Express to host a server, and no matter what I do with the firewall gui utility, it won't open the ports I want to open. It clearly retains changes I made as root, but still I get connection refusals from my clients. I noticed also when I used the firewall utility, it never seemed to accept my role password for root, it just kept asking over and over again without giving me an error. I eventually made it so I could log in as root and force changes, which is how I got it to retain the changes I wanted without getting stuck in the role/credential loop. However, like I mentioned before, it's like the changes I made aren't active somehow. I've also tried disabling the firewall entirely, which seems to make no difference. Are there any good Solaris 11 Express / Firewall configuration guides out there?
    Thanks.

    There were some bugs in the area of root being a role and the Visual Panels client (and its back end RAD). I highly recommend
    you upgrade to Solaris 11 or even better Solaris 11.1 (which was announced at Oracle OpenWorld 2012 and will be available soon).
    If you can still reproduce this behaviour there we can investigate fixing it. Solaris 11 Express is no longer a supported release.

  • Windows 2008 R2 - IPSEC Firewall Configuration

    Hi,
    I want to open IPSEC between two servers with a firewall in between them.  Both servers are Windows 2008 R2.   I want to limit the IPSEC so that only data can flow from Intranet Server 1 to DMZ server1.  (I don't want to allow DMZ server
    to initiate data transfer to intranet)   So, this IPSEC rule is for ONE WAY traffic.
    I have asked my network team to open the following ports:
    From Server1 on intranet to Server2 in DMZ:
    UDP 500
    protocol type 50
    Protocol type 51
    However, the IPSEC connectivity is failing.  The server does not appear to be NEGOTIATING security.  To simplify the configuration, I am currently only using a passphrase to authenticate the IPSEC.
    I am wondering if I have to open the same firewall ports from the DMZ to the intranet too.  Can anyone confirm if the ports must be enabled in both directions to have IPSEC work?  and if this is the case, I guess I would have to rely on the IPSEC
    policy itself to BLOCK communication from the DMZ to the Intranet.

    Hi,
    Would you please tell us how you configured the IPsec policy?
    Have you assigned the IPsec policy after you configured it?
    In addition, when configuring IP filters for traffic that must be secured, make sure to mirror the filters.
    More information for you:
    Windows 2008 R2 - IPSEC Firewall Configuration
    http://technet.microsoft.com/en-us/library/cc730656.aspx
    Step-by-Step Guide to Internet Protocol Security (IPSec)
    http://technet.microsoft.com/en-us/library/bb742429.aspx
    Best Regards,
    Amy

  • B2B with Firewall configuration for Outgoing messages

    Hi,
    We have put B2B midtier within Intranet. We have firewall configuration for our network.
    When B2B sends the business message to a remote trading partner, the connection first hits the firewall. In order to pass through the firewall, what ports do we need to open on the firewall?
    Any suggestions?
    Thanks

    Hello Praveen,
    Please use B2B in the reverse proxy configuration with OHS. Please refer to 5.5 Configuring Reverse Proxies and Load Balancers in the Oracle® HTTP Server Administrator's Guide 10g Release 2 (10.1.2).
    In tip.properties please give the proxy host and port (10.60.15.24 and port 4085), restart the B2B server, and follow the above document for configuring OHS in reverse proxy mode by changing the http.conf
    Please let me know.
    Rgds,Ramesh

  • Cannot get NAT & Firewall configured correctly.

    Hi,
    I have spent days reading and trying to get this to work with no luck.
    I am trying to open port 3389 for RDP to an internal PC.
    I am also trying to get an H.323 IP phone to communicate to the PBX. I have tried allowing all communications from my home office IP address through the dialer1 interface, but still no go.
    Info regarding the installation:
    Cisco 880 Series Router
    DSL service into the building - PPPoe Dialler1 Interface
    VLAN1 - Internal Network 1 - Gateway 192.168.1.1
    VLAN2 - Internal Network 2 (currently no devices on network) - Gateway 192.168.2.1
    VLAN3 - Wireless Network - Gateway 192.168.3.1
    PBX is on VLAN1 - 192.168.1.10
    Current config:
    show run
    Building configuration...
    Current configuration : 6141 bytes
    ! Last configuration change at 22:11:10 PCTime Sat Jan 3 2015 by nathan
    version 15.2
    no parser cache
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname BladePile
    boot-start-marker
    boot-end-marker
    logging buffered 51200
    enable secret 5 XXXXXXXXXXXXXXXXXX
    enable password 7 XXXXXXXXXXXXXXXXXXX
    no aaa new-model
    memory-size iomem 10
    clock timezone PCTime 10 0
    clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
    crypto pki trustpoint TP-self-signed-3103805736
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3103805736
     revocation-check none
     rsakeypair TP-self-signed-3103805736
    crypto pki certificate chain TP-self-signed-3103805736
     certificate self-signed 01
      XXX
      quit
    ip dhcp excluded-address 192.168.1.1 192.168.1.50
    ip dhcp excluded-address 192.168.2.1 192.168.2.50
    ip dhcp excluded-address 192.168.3.1 192.168.3.50
    ip dhcp pool vlan1
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 203.134.64.66 203.134.65.66
     lease 7
    ip dhcp pool vlan2
     network 192.168.2.0 255.255.255.0
     default-router 192.168.2.1
     dns-server 203.134.64.66 203.134.65.66
     lease 7
    ip dhcp pool vlan3
     network 192.168.3.0 255.255.255.0
     default-router 192.168.3.1
     dns-server 203.134.64.66 203.134.65.66
    no ip bootp server
    ip name-server 203.134.64.66
    ip name-server 203.134.65.66
    ip cef
    no ipv6 cef
    ipv6 spd queue min-threshold 30
    ipv6 spd queue max-threshold 31
    multilink bundle-name authenticated
    license udi pid CISCO887VA-SEC-K9 sn XXXXX
    archive
     log config
      hidekeys
    username XXXXX privilege 15 password 7 XXXXXXXXXXXXXXX
    controller VDSL 0
    ip tcp synwait-time 10
    interface Ethernet0
     description $ETH-WAN$
     ip address dhcp client-id Ethernet0
     ip nat outside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
     shutdown
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no atm ilmi-keepalive
     hold-queue 224 in
     pvc 0/16 ilmi
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface FastEthernet0
     switchport trunk allowed vlan 1-3,1002-1005
     switchport mode trunk
     no ip address
    interface FastEthernet1
     no ip address
     spanning-tree portfast
    interface FastEthernet2
     switchport access vlan 2
     no ip address
     spanning-tree portfast
    interface FastEthernet3
     switchport access vlan 3
     no ip address
     spanning-tree portfast
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
     ip access-group 101 in
     ip nat inside
     ip virtual-reassembly in
     hold-queue 32 in
     hold-queue 100 out
    interface Vlan2
     ip address 192.168.2.1 255.255.255.0
     ip access-group 102 in
     ip nat inside
     ip virtual-reassembly in
     hold-queue 32 in
     hold-queue 100 out
    interface Vlan3
     ip address 192.168.3.1 255.255.255.0
     ip access-group 103 in
     ip nat inside
     ip virtual-reassembly in
     hold-queue 32 in
     hold-queue 100 out
    interface Dialer0
     no ip address
     no cdp enable
    interface Dialer1
     ip address negotiated
     no ip unreachables
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname XXXXXXXXXXXXXXX
     ppp chap password 7 XXXXXXXXXXXXXXXX
     ppp pap sent-username XXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXX
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip flow-top-talkers
     top 10
     sort-by bytes
    ip nat inside source list 100 interface Dialer1 overload
    ip nat inside source static tcp 192.168.1.20 3389 interface Dialer1 22000
    ip nat inside source static tcp 192.168.1.55 3389 interface Dialer1 22001
    ip route 0.0.0.0 0.0.0.0 Dialer1
    logging trap debugging
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 100 permit ip 192.168.2.0 0.0.0.255 any
    access-list 100 permit ip 192.168.3.0 0.0.0.255 any
    access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 101 permit ip any any
    access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 102 permit ip any any
    access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 103 permit ip any any
    dialer-list 1 protocol ip permit
    no cdp run
    control-plane
    line con 0
     no modem enable
     stopbits 1
    line aux 0
    line vty 0 4
     exec-timeout 40 0
     privilege level 15
     password 7 XXXXXXXXXXXXXXXXXX
     login local
     transport input telnet ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    sntp server 192.189.54.17
    end

    Thanks for the additional information which does clarify several things. I am glad that the RDP issue is resolved and that it was not a router issue.
    It is helpful to know that the phones that are in vlan 1 are working. And it is not surprising that a phone at your home office accessing via the Internet is not working. The essence of the problem with the phone at the home office is what IP address does it attempt to access? The config that you posted shows that devices inside (which should include the phone system) are getting dynamic address translation. So it is not feasible for a device from outside to initiate traffic to an inside device. I would suggest that this is essentially the problem that you faced in trying to support RDP from outside. So the solution for your home office phone would be similar to the solution for RDP (but will be more complex because of the greater number of ports involved).
    To answer your question, whether the ports can be opened only to one IP address depends on how the network in your home office is working. Does it ALWAYS have the same IP going to the Internet? If so then you could do a static translation for the ports specifying the source address and the destination address. If it is variable then you need to do the translation for any source address.
    HTH
    Rick
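
The distinction Rick describes, applied to the configuration posted above, as an added example that is not part of the thread: this Python sketch parses the `ip nat inside source` lines and reports which inside hosts have a static mapping that lets an outside host initiate a connection, and whether the outside interface carries an inbound `ip access-group`. `SAMPLE_CONFIG` is a constructed excerpt of the posted config, and the function names are hypothetical.

```python
import re
import textwrap

# Constructed excerpt: the NAT-relevant lines of the configuration posted above.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
interface Dialer1
 ip address negotiated
 ip nat outside
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.20 3389 interface Dialer1 22000
ip nat inside source static tcp 192.168.1.55 3389 interface Dialer1 22001
"""

STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
OVERLOAD_RE = re.compile(r"ip nat inside source list \S+ interface (\S+) overload$")
ACL_IN_RE = re.compile(r"ip access-group (\S+) in$")


def parse_nat(config):
    """Collect static port forwards, PAT (overload) interfaces and inbound ACLs."""
    forwards, overload, acl_in = [], set(), {}
    current = None  # interface whose sub-commands are being read
    # dedent() copes with a config pasted with uniform leading indentation.
    for raw in textwrap.dedent(config).splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # A non-indented line ends any interface block.
            current = line.split()[1] if line.startswith("interface ") else None
        elif current:
            m = ACL_IN_RE.match(line)
            if m:
                acl_in[current] = m.group(1)
            continue
        m = STATIC_RE.match(line)
        if m:
            proto, host, in_port, iface, out_port = m.groups()
            forwards.append({"proto": proto, "inside": host,
                             "inside_port": int(in_port), "iface": iface,
                             "outside_port": int(out_port)})
            continue
        m = OVERLOAD_RE.match(line)
        if m:
            overload.add(m.group(1))
    return forwards, overload, acl_in


def inbound_reachable(config, inside_host):
    """True if a static mapping lets an outside host initiate traffic to inside_host.

    Hosts covered only by the overload (PAT) rule get a translation entry when
    they open a connection themselves, so nothing outside can start one to them.
    """
    forwards, _, _ = parse_nat(config)
    return any(f["inside"] == inside_host for f in forwards)


def audit(config):
    """One finding per static forward; 'acl' is None when the outside interface
    has no inbound access-group, so the forward is not restricted by source."""
    forwards, _, acl_in = parse_nat(config)
    return [dict(f, acl=acl_in.get(f["iface"])) for f in forwards]


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        scope = f"filtered by ACL {f['acl']}" if f["acl"] else "no inbound ACL, any source"
        print(f"{f['iface']}:{f['outside_port']}/{f['proto']} -> "
              f"{f['inside']}:{f['inside_port']} ({scope})")
    # The PBX address from the post has no static mapping in this config.
    print("PBX 192.168.1.10 reachable from outside:",
          inbound_reachable(SAMPLE_CONFIG, "192.168.1.10"))
```
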

  • Gshield firewall configuration

    Hi,
    I am using firehol and it works ok, but I can't get gshield firewall to work on my laptop.
    I have looked at the gShield.conf file a number of times, but the explanations in the file are just not clear enough to work out what to do.
    My laptop is on ip 192.168.0.2, server is 192.168.0.100. I am using a netgear adsl modem/router with 4 ports, so I don't think I need NAT for 192.168.0.0/24 because the router does that.
    How do I configure an ssh connection so I can log in to the server? gshield just drops the connection.
    How do I configure NFS, bittorrent and IRC? gshield blocks the lot.
    I have looked all over the net for a user guide, but nothing out there.
    Thanks for any help.

    Ok, great. Now THAT ZIP file worked perfectly! (I wonder what is wrong with the ZIP on the website?) Anyway, now I have copied the PL file to the management server (which is a Windows Server 2003 machine with the latest version of Active Perl installed). When I attempt to run the Perl script (using "perl zoompix.pl") I receive the following error:
    Can't locate Date/Calc.pm in @INC (@INC contains: c:/Perl/site/lib c:/Perl/lib .
    ) at c:\zoompix\zoompix.pl line 26.
    BEGIN failed--compilation aborted at c:\zoompix\zoompix.pl line 26.
    The only calc.pm file that I can find is located at C:\Perl\lib\Math\BigInt.
    Any ideas?
    Thank you for all of your previous help!
    Tony

  • Firewall configuration between clusters

    We are planning our web infrastructure as follows:
    internet ----> firewall(1)+HD loadbalancer -----> Weblogic cluster (servlet/JSP) ----> firewall (2) ----> Weblogic cluster (EJBs)
    The reason we want to put a firewall between the servlet cluster
    and the EJB cluster is that if anything goes wrong in the front
    presentation cluster, our mission critical business cluster
    is not to be touched.
    Now, what are the requirements for the configuration of firewall
    2? I have the following questions in mind:
    1:) I seem to remember reading in the document that we must
    bind the DNS name to the naming lookup directory, TRUE?
    2:) As this is a pure JAVA environment, I assume the communication
    between servlet and EJBs will occur through RMI. Does
    Weblogic use a specific port to listen to RMI requests on
    the server side (EJB cluster)? If so, how do I find out what
    it is?
    3:) Is it sufficient to just allow the above mentioned
    port open in my firewall 2 to enable the Servlet/EJB
    connection?
    What if I have multiple Servlets talking to multiple EJBs
    at the same time? Do all these communications go through
    the same port?
    Thanks

    Danny,
    > 1:) I seem to remember reading on the document that we must
    > bind the DNS name to the naming lookup directory, TRUE?
    In the document it spends 90% of the time talking about DNS. Needless to
    say, you typically don't have to make any DNS settings at all.
    > 2:) As this is a pure JAVA environment, I assume the communication
    > between servlet and EJBs will occur through RMI. Does
    > Weblogic use a specific port to listen to RMI request on
    > server side (EJB cluster)? If so, how do I find out what
    > it is?
    If I understand correctly, Weblogic often uses RMI over T3 (their own RMI
    implementation). That would use 7001 by default.
    > 3:) Is it sufficient enough to just allow the above mentioned
    > port open in my firewall 2 to enable the Servlet/EJB
    > connection?
    Yes.
    Just remember, if your servlets can get through the firewall to your ejb
    servers, then so can anything else that gets there.
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available

  • Solaris 10 Firewall configuration with a GUI application

    Hello,
    I am quite a novice regarding Solaris.
    I have searched for hours on the web for a safe GUI application with which I can configure the
    firewall on Solaris 10 05/2009 in order to surf the Internet. Unfortunately I have not found one but
    lots of instructions instead on how to modify various config file setting, which I do not understand.
    My Solaris books are also of no help.
    Is there a precompiled GUI tool available similar to the one shipped with OpenSUSE's yast ?
    I think such a tool would make Solaris much more attractive for non-sysadmins - also because of
    its excellent hardware support that is superior to Linux.
    Thank you,
    Alexander

    IPF studied in little chunks is really easy to manipulate.
    Fortunately there is a doc that splits up IPF into little chunks with each new chunk building on all of the old chunks.
    http://www.obfuscation.org/ipf/ipf-howto.txt
    Then all you need to do is to create /etc/ipf/ipf.conf
    and
    svcadm enable ipfilter
    alan

  • Firewall configuration in OSX 10.8

    Dear all,
    In order to add custom firewall rules to my Mac, I was looking for an easy way to configure the built-in firewall. Many posts point to IceFloor, which seems to be a nice frontend. However, although I've enabled SSH and it is listed as an exception in the simple OSX 10.8 firewall GUI, I don't see this exception anywhere in IceFloor.
    Is there a way to see the currently applied firewall rules in (Mountain) Lion from the command-line or IceFloor?

    Yes there is.
    for PF:
    sudo pfctl -sr
    for every "anchor", you can list the dynamic rules like this:
    sudo pfctl -a "myanchor" -sr
    for IPFW:
    sudo ipfw show

  • Server Firewall Configuration

    Hi.
    I am trying to realise a custom ruleset for the Server System firewall.
    I would like to know if there is a list of Protocols that are actively supported by the gui.
    I have tried to introduce rules to the advanced interface in accordance with ipfw (or my interpretation of the gui's understanding of ipfw) but find that some of my rules are unacceptable.
    A point of example is to set the protocol to other and introduce a rule relating to tun0; it seems the gui cannot configure this.
    If possible I would like to come to an understanding with the gui.
    At this point, it appears I have three options.
    1. Bend my rulesets to accommodate gui ability.
    2. Bypass the gui with sunsheild
    3. Bypass the gui with a custom ruleset script written in ipfw 8.
    Any comments on my understanding and what is considered to be the optimal way to go would be gratefully received.
    Many thanks.
      Mac OS X (10.4.3)   Ipod; X Serve G5 Dual; G4 stuff;

    In answer to myself....
    Having spent a couple of days on this issue I have come to the following conclusions..
    ~ The firewall gui is better than I thought and allows me to do 90% of what I want to, but does take some getting used to - especially as I am new to ipfw2.
    In order to understand what ipfw commands are supported you need to access man ipfw from the terminal.
    This explains the syntax and helps understand the way the default firewall rules are configured.
    ~ I decided not to go down the Sunsheild / other bolt-on interface route; in reality they do not allow me to achieve any more, it just makes things a little easier to comprehend.
    ~ Writing shell scripts is not the solution (in my opinion).
    Software updates could really screw things up, and that cannot happen.
    I admit that I am surprised that the Mac does not fully support ipfw2 at terminal level, but has its own syntax, to confuse the issue.
    Although many Mac users seem to consider a firewall unnecessary, I cannot subscribe to this.
    My Conclusion.
    The Mac Firewall is very good, but could be yet improved.
    I still love my Xserve and it looks great.

  • Firewall Configuration for Leopard 10.5.2

    Hi Members,
    I would like to know how to configure firewall on my macbook?
    Any suggestion!
    Regards
    Vikram

    macworld article -Understanding and using Leopard Firewall
    But be aware that the gui in leopard configures an application firewall.
    If you want to configure IPFW the unix firewall that is also built into leopard take a look at water roof

  • ACE: as firewall and NAT. inbound and outbound originals

    Hi Team,
    This time no load balancing is required.
    Two servers inside (with private IP) need to communicate with clients and servers on the internet. ie, internet client originate inbound traffic to our servers, and also our servers originate connections to some internet servers.
    Both of our servers will work independently for this purpose.
    I have a few ideas to mix and match configs in the ACE. (This was originally working with FWSM setup). I would like to hear some sound ideas to achieve this using ACE only as firewall/router. No plan to load balance at present.
    Regards to all
    SS

    Gilles,
    Inbound traffic and the related reply traffic can be handled with normal class-map by defining a VIP with public IP.
    The above real server with private IP is now going to make a different connection to the internet. ie,
    outbound traffic and related reply traffic need handling. (no load balancing planned).
    Destination NAT, Static NAT sounds interesting
    Source NAT, Static NAT sounds interesting. Mixing these sound very interesting!! I'm looking for sample configs please.
    SS

  • How to configure NAT in latest AirPort Utility?

    Ok, where the heck did the NAT configuration section go in the latest AirPort Utility (I am running v6.1 under 10.7.4). It *used* to be under Network->NAT but it is now missing/hidden. Good times.
    Any help would be much appreciated!
    -BT

    Hey Bob Timmons,
    I am running Mountain Lion (10.8.1) and airport utility 6.1. I am also trying to open up a port. I downloaded airport utility 5.6 like you mentioned but it won't let me install it because it says the discs are not compatible with that version. So I'm guessing 5.6 doesn't play nicely with Mountain Lion. Does that sound correct? Any help is appreciated.
    Sorry about the link to the photo instead of attaching it directly. It wouldn't let me attach it.
    http://s11.postimage.org/573eelzpv/Screen_Shot_2012_09_11_at_5_37_08_PM.png
